FEDERAL ELECTION COMMISSION

OFFICE OF INSPECTOR GENERAL

FINAL REPORT

Audit of the Federal Election Commission’s
Fiscal Year 2006 Financial Statements

November 2006
ASSIGNMENT No. OIG-06-02

Table of Contents

Transmittal Memorandum
Independent Auditor’s Report
Independent Auditor’s Report on Compliance and Other Matters
Independent Auditor’s Report on Internal Control

FEDERAL ELECTION COMMISSION
WASHINGTON, D.C. 20463

Office of Inspector General

MEMORANDUM

TO:            The Commission

FROM:          Inspector General

SUBJECT:       Audit of the Federal Election Commission's Fiscal Year 2006 Financial
               Statements

DATE:          November 15, 2006

This letter transmits the final audit report of the Federal Election Commission's (FEC) fiscal year
(FY) 2006 financial statements. In accordance with the Accountability of Tax Dollars Act of
2002, the FEC prepared financial statements in accordance with Office of Management and
Budget (OMB) Circular No.
A-136, Financial Reporting Requirements, revised, and subjected
them to audit.

The Chief Financial Officers Act of 1990 (Public Law 101-576, commonly referred to as the
"CFO Act"), as amended, requires the FEC Office of Inspector General (OIG), or an independent
external auditor as determined by the Inspector General, to audit the agency financial statements.
Under a contract monitored by the OIG, Clifton Gunderson LLP (CG-LLP), an independent
certified public accounting firm, performed the audit of the FEC's FY 2006 financial statements.

The FEC's continued commitment to sound financial management resulted in improvement in
several areas. Specifically, improvements in information technology resulted in the removal of
the area as a material weakness; this area is a reportable condition. Further, financial reporting
and payroll have been removed from the list of reportable conditions in FY 2006. In addition,
the FEC implemented a new cost allocation process in fiscal year 2006. The Inspector General
believes the new system will yield further improvements in internal controls and reporting of
FEC program costs in fiscal year 2007 and beyond.

Audit Process
CG-LLP conducted the audit in accordance with auditing standards generally accepted in the
United States of America; the standards applicable to financial audits contained in Government
Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin
No. 06-03, Audit Requirements for Federal Financial Statements, as amended. The results of the
financial statement audit are detailed in three reports: opinion on the financial statements; report
on internal control; and report on compliance with laws and regulations.

Opinion on the Financial Statements
The audit included an examination, on a test basis, of evidence supporting the amounts and
disclosures in the financial statements.
The audit also included assessing the accounting
principles used and significant estimates made by management, as well as evaluating the overall
principal statements' presentation.

CG-LLP audited the balance sheets of the Federal Election Commission as of September 30,
2006 (FY 2006) and 2005 (FY 2005), and the related statements of net cost, changes in net
position, budgetary resources, financing, and custodial activity for the years then ended.

In FY 2006 and 2005, CG-LLP was not able to obtain sufficient competent audit evidence to
support the allocation of program costs reported on the statements of net cost. As a result,
CG-LLP was not able to apply auditing procedures necessary to conduct the audit in accordance with
the standards and the OMB guidance mentioned above. Therefore, CG-LLP issued a qualified
opinion on the statements of net cost.

Except for the effects of such adjustments, if any, to the FY 2006 and FY 2005 statements of net
cost referred to in the preceding paragraph, as might have been necessary had CG-LLP been able
to obtain sufficient competent audit evidence and perform adequate audit procedures on the
allocation of the program costs, the CG-LLP opined the financial statements present fairly, in all
material respects, the financial position of the FEC as of September 30, 2006 and 2005, and its
net cost, changes in net position, budgetary resources, reconciliation of net cost to budgetary
obligations, financing and custodial activity for the years then ended in conformity with
accounting principles generally accepted in the United States of America.

Report on Internal Control
CG-LLP's planning and performance of the audit included consideration of the FEC's internal
control over financial reporting.
The CG-LLP auditors obtained an understanding of the FEC's
internal control; determined whether internal controls had been placed in operation; assessed
control risk; and performed tests of controls in order to determine auditing procedures for the
purpose of expressing an opinion on the financial statements. The auditors limited their internal
control testing to those controls necessary to achieve the objectives described in OMB Bulletin
No. 06-03 and consequently CG-LLP did not provide an opinion on internal control.

Internal control as it relates to the financial statements, is a process, affected by agency's
management and other personnel, designed to provide reasonable assurance of the following:
(1) transactions are properly recorded, processed, and summarized to permit preparation of the
financial statements and assets are safeguarded against loss from unauthorized acquisition, use or
disposition; (2) transactions are executed in accordance with laws governing the use of budget
authority and other laws and regulations that could have a direct and material effect on the
financial statements and other laws and regulations identified by OMB; and (3) transactions and
other data that support reported performance measures are properly recorded, processed, and
summarized to permit the preparation of performance information in accordance with criteria
stated by management.

In performing the testing of internal control necessary to achieve the objectives in OMB Bulletin
No. 06-03, the auditors identified matters relating to significant deficiencies in the design or
operation of FEC's internal control. The testing of internal control identified both reportable
conditions and material weaknesses.
The American Institute of Certified Public Accountants
(AICPA) categorizes reportable conditions as matters coming to the auditor's attention relating
to significant deficiencies in the design or operation of the internal control that, in the auditor's
judgment, could adversely affect the agency's ability to record, process, summarize, and report
financial data consistent with the assertions by management in the financial statements. Material
weaknesses are reportable conditions in which the design or operation of one or more of the
internal control components does not reduce to a relatively low level the risk that misstatements
caused by error or fraud in amounts that would be material in relation to the financial statements
being audited may occur and not be detected within a timely period by employees in the normal
course of performing their assigned functions.

CG-LLP identified material weaknesses in the areas of:

       Program Cost Allocation
       General Property and Equipment (Property)

CG-LLP identified reportable conditions, not considered to be material weaknesses, which
include the following:

       Information Technology (IT)
       Integrated Financial Management System
       Administrative Fines, Civil Penalties and Miscellaneous Receipts
       Controls Over Procurement and Disbursement Transactions
       Audit Follow-up

Report on Compliance with Laws and Regulations
FEC management is responsible for complying with laws and regulations applicable to the
agency. To obtain reasonable assurance about whether FEC's financial statements are free of
material misstatements, CG-LLP performed tests of compliance with certain provisions of laws
and regulations, non-compliance with which could have a direct and material effect on the
determination of financial statement amounts, and certain laws and regulations specified in OMB
Bulletin No.
06-03, such as the Anti-Deficiency Act and the Prompt Payment Act.

The results of CG-LLP's tests of compliance with laws and regulations described in the audit
report disclosed no instances of noncompliance with the laws and regulations that are required to
be reported under Government Auditing Standards and OMB Bulletin No. 06-03.

Audit Follow-up
The report on internal control contains numerous recommendations to address weaknesses found
by the auditors. Management was provided a draft copy of the audit report for comment and
CG-LLP reviewed management's comments. Although CG-LLP stands by the report and the
weaknesses detailed, the OIG and CG-LLP intend to work with management through the
follow-up and audit process to ensure the weaknesses are addressed satisfactorily. In accordance with
OMB Circular No. A-50, Audit Followup, revised, the FEC's corrective action plan is to set forth
the specific action planned to implement the recommendations and the schedule for
implementation. The Commission has designated the Chief Financial Officer to be the audit
follow-up official for the annual financial statement audit.

OIG Evaluation of Clifton Gunderson LLP's Audit Performance
In connection with the OIG's contract with CG-LLP, the OIG reviewed CG-LLP's reports and
related documentation and inquired of its representatives. Specifically, we performed the
following: (1) reviewed CG-LLP's approach and planning of the audit; (2) evaluated the
qualifications and independence of the auditors; (3) monitored the work of the auditors
throughout the audit; (4) examined audit documents and audit reports to ensure compliance with
Government Auditing Standards and OMB Bulletin No.
06-03; and (5) performed other
procedures we deemed necessary.

The OIG's review of CG-LLP's work, as differentiated from an audit in accordance with
Government Auditing Standards issued by the Comptroller General of the United States, was not
intended to enable the OIG to express an opinion on the FEC's financial statements; provide
conclusions about the effectiveness of internal control; or reach conclusions on whether FEC's
management substantially complied with laws and regulations related to the audit. CG-LLP is
responsible for the opinion and conclusions reached in the attached reports dated November 15,
2006. The OIG review disclosed no instances where CG-LLP did not comply, in all material
respects, with Government Auditing Standards.

If you should have any questions, please contact my office on (202) 694-1015. We appreciate
the courtesies and cooperation extended to Clifton Gunderson LLP and the OIG staff during the
conduct of the audit.

Lynne A. McFarland
Inspector General

Attachments

Cc:    Staff Director
       General Counsel
       Acting Chief Financial Officer and Deputy Staff Director for Management
       Information Technology Director
       Accounting Officer

Independent Auditor’s Report

To the Inspector General of the
Federal Election Commission

We have audited the balance sheets of the Federal Election Commission (the FEC) as of
September 30, 2006 (FY 2006) and 2005 (FY 2005), and the related statements of net cost,
changes in net position, budgetary resources, financing, and custodial activity for the years then
ended (hereinafter collectively referred to as the “financial statements”).
These financial
statements are the responsibility of the FEC’s management. Our responsibility is to express an
opinion on these financial statements based on our audits.

Except as explained in the following paragraph, we conducted our audit in accordance with
auditing standards generally accepted in the United States of America; the standards applicable
to financial audits contained in Government Auditing Standards, issued by the Comptroller
General of the United States; and Office of Management and Budget (OMB) Bulletin No. 06-03,
Audit Requirements for Federal Financial Statements. Those standards require that we plan and
perform the audit to obtain reasonable assurance about whether the financial statements are free
of material misstatement. An audit includes examining, on a test basis, evidence supporting the
amounts and disclosures in the financial statements. An audit also includes assessing the
accounting principles used and significant estimates made by management, as well as evaluating
the overall financial statements’ presentation. We believe our audits provide a reasonable basis
for our opinion.

In FY 2006 and 2005, we were not able to obtain sufficient competent audit evidence to support
the allocation of program costs reported on the statements of net cost.
As a result, we were not
able to apply auditing procedures necessary to conduct the audit in accordance with the standards
and the OMB guidance mentioned above.

In our opinion, except for the effects of such adjustments, if any, to the FY 2006 and FY 2005
statements of net cost referred to in the preceding paragraph, as might have been necessary had
we been able to obtain sufficient competent audit evidence and perform adequate audit
procedures on the allocation of the program costs, the financial statements present fairly, in all
material respects, the financial position of the FEC as of September 30, 2006 and 2005, and its
net cost, changes in net position, budgetary resources, reconciliation of net cost to budgetary
obligations, financing and custodial activity for the years then ended in conformity with
accounting principles generally accepted in the United States of America.

Centerpark I
4041 Powder Mill Road, Suite 410
Calverton, Maryland 20705-3106
tel: 301-931-2050
fax: 301-931-1710
www.cliftoncpa.com
Offices in 15 states and Washington, DC

In accordance with Government Auditing Standards, we have also issued our reports dated
November 7, 2006 on our consideration of the FEC’s internal control over financial reporting,
and on our tests of the FEC’s compliance with certain provisions of laws and regulations and
other matters. The purpose of those reports is to describe the scope of our testing of internal
control over financial reporting and compliance and the results of that testing, and not to provide
an opinion on the internal control over financial reporting or on compliance.
Those reports are
an integral part of our audit performed in accordance with Government Auditing Standards and
should be considered in assessing the results of our audit.

Our audits were made for the purpose of forming an opinion on the basic financial statements
taken as a whole. The Management Discussion and Analysis, required supplementary
stewardship information, supplementary information, and other accompanying information
contain a wide range of data, some of which is not directly related to the financial statements.
We do not express an opinion on this information. However, we compared this information for
consistency with the financial statements and discussed the methods of measurement and
presentation with the FEC officials. Based on this limited work, we found no material
inconsistencies with the financial statements or nonconformance with OMB guidance.

Calverton, Maryland
November 7, 2006

Independent Auditor’s Report on Compliance and Other Matters

To the Inspector General of the
Federal Election Commission

We have audited the financial statements of the Federal Election Commission (FEC) as of and
for the year ended September 30, 2006, and have issued our report thereon dated November
7, 2006.
In our report, our opinion was qualified for the effects of adjustments, if any, as might
have been necessary had we been able to obtain sufficient competent audit evidence and perform
adequate audit procedures on the allocation of the program costs in the statement of net cost.
Except as described above, we conducted our audit in accordance with auditing standards
generally accepted in the United States of America; the standards applicable to financial audits
contained in Government Auditing Standards, issued by the Comptroller General of the United
States; and Office of Management and Budget (OMB) Bulletin No. 06-03, Audit Requirements
for Federal Financial Statements.

The management of FEC is responsible for complying with laws and regulations applicable to
FEC. As part of obtaining reasonable assurance about whether FEC’s financial statements are
free of material misstatements, we performed tests of its compliance with certain provisions of
laws and regulations, noncompliance with which could have a direct and material effect on the
determination of financial statement amounts, and certain other laws and regulations specified in
OMB Bulletin No. 06-03. We limited our tests of compliance to these provisions and we did not
test compliance with all laws and regulations applicable to FEC.

The results of our tests of compliance disclosed no instances of noncompliance with the laws and
regulations discussed in the preceding paragraph or other matters that are required to be reported
under Government Auditing Standards and OMB Bulletin No.
06-03.

Providing an opinion on compliance with certain provisions of laws and regulations was not an
objective of our audit, and accordingly, we do not express such an opinion.

We noted certain immaterial instances of noncompliance that we have reported to management
of FEC in a separate letter dated November 7, 2006.

This report is intended solely for the information and use of the management of FEC, FEC
Office of Inspector General, Government Accountability Office, OMB and Congress, and is not
intended to be and should not be used by anyone other than these specified parties.

Calverton, Maryland
November 7, 2006

Independent Auditor’s Report on Internal Control

To the Inspector General of the
Federal Election Commission

We have audited the financial statements of the Federal Election Commission (the FEC) as of
and for the year ended September 30, 2006, and have issued our report dated November 7, 2006.
In our report, our opinion was qualified for the effects of adjustments, if any, as might have been
necessary had we been able to obtain sufficient competent audit evidence and perform adequate
audit procedures on the allocation of the program costs in the statement of net cost.
Except as
described above, we conducted our audit in accordance with auditing standards generally
accepted in the United States of America; the standards applicable to financial audits contained
in Government Auditing Standards, issued by the Comptroller General of the United States; and
Office of Management and Budget (OMB) Bulletin No. 06-03, Audit Requirements for Federal
Financial Statements.

In planning and performing our audit, we considered the FEC’s internal control over financial
reporting by obtaining an understanding of the FEC’s internal control; determining whether
internal controls had been placed in operation; assessing control risk; and performing tests of
controls in order to determine our auditing procedures for the purpose of expressing our opinion
on the financial statements. We limited our internal control testing to those controls necessary to
achieve the objectives described in OMB Bulletin No. 06-03. We did not test all internal
controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial
Integrity Act (FMFIA) (31 U.S.C. 3512), such as those controls relevant to ensuring efficient
operations.
The objective of our audit was not to provide assurance on internal control.
Consequently, we do not provide an opinion on internal control.

Our consideration of the internal control over financial reporting would not necessarily disclose
all matters in the internal control over financial reporting that might be reportable conditions.
Under standards issued by the American Institute of Certified Public Accountants, reportable
conditions are matters coming to our attention relating to significant deficiencies in the design or
operation of the internal control that, in our judgment, could adversely affect the agency’s ability
to record, process, summarize, and report financial data consistent with the assertions by
management in the financial statements. Material weaknesses are reportable conditions in which
the design or operation of one or more of the internal control components does not reduce to a
relatively low level the risk that misstatements caused by error or fraud in amounts that would be
material in relation to the financial statements being audited may occur and not be detected
within a timely period by employees in the normal course of performing their assigned functions.
Because of inherent limitations in internal controls, misstatements, losses, or noncompliance may
nevertheless occur and not be detected.
However, we noted certain matters discussed in the
following paragraphs involving the internal control and its operation that we consider to be
material weaknesses and reportable conditions.

Finally, with respect to internal control related to performance measures reported in the FEC’s
Performance and Accountability Report as of September 30, 2006, we obtained an understanding
of the design of significant internal controls relating to the existence and completeness
assertions, as required by OMB Bulletin No. 06-03. Our procedures were not designed to
provide assurance on internal control over reported performance measures, and, accordingly, we
do not provide an opinion on such controls.

                            ********************************

MATERIAL WEAKNESSES

I.     Program Cost Allocation (Modified Repeat Finding)

       The FEC has made significant progress in the area of cost accounting. In the last half of
       FY 2006, the FEC implemented a new cost accounting system called the Time Reporting
       System (TRS). The TRS automates and standardizes the cost accumulation and the
       allocation of program costs. Training on the new cost system was conducted, and a
       memorandum from the Chief Financial Officer was issued to ensure that employees
       understand and know the importance of and how to use the new system. Also, towards
       the end of the fiscal year, the FEC has identified its responsibility segments and the need
       for re-alignment of its organizational structure for performance costing, has identified the
       outputs of its responsibility segments and is in the process of revising its cost accounting
       policies and procedures.

       The FEC program costs are driven by hours charged by each employee to activity codes
       that roll up to the specific FEC programs.
       The results of our tests disclosed that
       completeness, timeliness and discrepancies between the source data and the system data
       are the key deficiencies identified in the new cost system. As a result, we were not able
       to obtain reasonable assurance on the costs reported for each program on the statement of
       net cost. We understand that the FEC is still in the process of fine tuning its processes
       and controls to ensure that data input into the system are complete, timely, and are
       supported by an audit trail that agrees with the source data coming from the employees.

       Other system deficiencies and exceptions noted, which may or may not have been
       corrected during the audit process are as follows:

       •   The new cost system password settings do not follow the FEC’s password standards.
           The account lockout threshold is set at seven invalid attempts instead of five invalid
           attempts.
       •   The FEC does not have a formal process for ensuring that hours are entered in the
           system timely and correctly, that is, to the correct activity codes that will correspond
           to the correct program codes. Further, a review process is not implemented
           Commission-wide.
       •   The cost allocation percentages used in preparing the initial statement of net costs
           were incorrect because the FEC did not follow the reallocation process outlined in the
           system conceptual design document. Specifically, hours which should have been
           reallocated to the division only were reallocated Commission-wide.
       •   The system default allocation for the Information Division improperly allocated hours
           to the Compliance program when the hours should have been allocated to the Public
           Financing program.

       Recommendations:

       1. Revise the account lockout threshold in TRS to five invalid attempts.

       2. Establish written policies and procedures to ensure that employees enter their time in
          the cost system timely and properly and the results are supported by source data
          which is reviewed and approved by management.

       3. Ensure correct and consistent application of the cost allocation process in accordance
          with the cost system user manual and conceptual design document.

       4. Ensure errors in TRS causing the system to allocate hours for the Information
          Division to the wrong program are resolved.

       Management Response

       Overall, the FEC agrees with this finding. Management will change the lockout threshold
       in TRS to five invalid attempts (#1 above). The FEC will also strengthen written policies
       and procedures, including management approval to ensure data is entered correctly in
       TRS (#2). Guidance will also be issued to ensure operators understand the sequence of
       steps necessary to perform the allocations correctly (#3). Further, the FEC will consider
       building controls into the software to prevent errors in performing the steps. If cost
       effective, the FEC will implement the changes in FY 2007. The errors in TRS related to
       the allocation of errors for the Information Division were corrected prior to the
       conclusion of the audit (#4).

       The audit finding acknowledges considerable progress in the area of cost accounting in
       FY 2006. However, the FEC is disappointed that CG did not raise issues with the source
       data until late in the audit. If the issues had been raised earlier, steps would have been
       taken to correct the data.

       Auditor’s Response

       The FEC delayed full implementation of the new cost allocation process until the fourth
       quarter of 2006.
       As a result, the auditors and management came to an understanding that
       the substantive testing would be performed at year end, when the program costs are
       reported on the statement of net cost using the new cost system, rather than testing at
       interim (ending June 2006). The auditors believe concerns regarding the cost allocation
       process were promptly communicated to management once weaknesses were discovered.

II.    General Property and Equipment (Property) (Modified Repeat Finding)

       As noted in the prior year, the FEC’s accounting for property involves a time-consuming
       effort that increases the risk of errors due to the FEC’s process of expensing its property
       at the time of acquisition and preparing a journal voucher to reclassify the expense to an
       asset account for reporting purposes.

       Our audit disclosed deficiencies, errors or omissions that question the effectiveness of the
       FEC’s internal control on property. The weaknesses identified below collectively
       resulted in a material weakness in the FEC’s general property and equipment.

       •   Management’s periodic property reconciliation process and review of related
           subsidiary schedules and journal vouchers did not uncover errors during the year.
           These errors were uncovered during the audit process. Specifically, the errors
           included duplicate entries to record first quarter additions to leasehold improvements
           and adjustments needed to accrue costs.
       •   Additionally, journal entries to transfer property amounts from the expense to asset
           accounts were posted to the wrong United States Standard General Ledger (USSGL)
           account. The posting errors were detected during the interim testing phase of the
           audit process.
    The posting errors continued into the fourth quarter of the fiscal year
    (FY) and were again detected as part of the audit process. Journal entries to correct
    the aforementioned errors were posted to the general ledger more than once or were
    done incorrectly.
•   Although the number of the FEC’s capitalized assets reported in the financial
    statements is small, most of these assets are bulk purchases comprised of many
    individual items which are individually entered into the property system for
    accountability purposes. The information contained in the property system is not
    always complete. We found that some items in the property system did not have the
    bar code identification, serial number and location of the asset.
•   Although we were informed a physical inventory of capitalized assets had been
    performed, the FEC did not provide: the instructions used to complete the annual
    inventory of assets; complete results; and reconciliation of the physical inventory to
    the property system and the general ledger balance.
•   The FEC has not established a standard process, mechanism or policy to ensure that
    program offices notify the Finance Office of the acquisition or disposition of property
    assets to ensure that the accounting impact of the transaction is recorded timely and
    properly.
•   Management’s monthly analysis of financial activities did not show an analysis of
    property.

Recommendations:

5. Improve analytical and quality control review of subsidiary schedules, journal
   vouchers and property reconciliation to ensure material errors and differences are
   identified and resolved timely.

6. Use correct USSGL accounts.

7. Develop a mechanism for reconciling individual property items in the property
   system to the bulk purchases recorded in the general ledger to ensure completeness of
   the property system records. Also, ensure that the property management system has
   complete information, such as bar code identification, serial number and location of
   the asset.

8. Clearly document physical inventory procedures, results of the physical inventory,
   and the reconciliation performed. Maintain the documentation for audit trail and
   management review purposes.

9. Establish a standard process, mechanism or policy to ensure program offices notify
   the Finance Office of the acquisition and disposition of property assets.

10. Perform a monthly analysis of property as part of the monthly analysis of financial
    activities.

Management Response

The FEC agrees with findings and recommendations but not its classification as a
Material Weakness. In FY 2007, the FEC will make an effort to review spreadsheets (#1
above) and journals (#2) more thoroughly to catch errors. The FEC will update its
internal directive on property for the custodians to prescribe forms to assist with the
reconciling of detailed records to the property system (#3), taking of physical inventory
(#4) and the acquisition and disposal of assets (#5). Also, management will consider
adding property reports to the monthly analysis prepared by the Accounting Officer (#6).

Auditor’s Response

We have carefully reviewed the FEC management response; however, we have not
changed our conclusion that the general property and equipment weaknesses, evaluated
collectively, are a material weakness.

REPORTABLE CONDITIONS

III.   Information Technology (IT)

A. Entity-Wide Security Program

The Government Accountability Office (GAO) reported in July 2005 that the
underlying cause for information security weaknesses is that agencies have not yet
fully implemented entity-wide information security programs. An entity-wide
security program provides a framework and continuing cycle of activity for managing
risk, developing security policies, assigning responsibilities, and monitoring the
adequacy of the entity’s computer-related controls. Without a well-designed
program, security controls may be inadequate; responsibilities may be unclear,
misunderstood, and improperly implemented; and controls may be inconsistently
applied. Such conditions may lead to insufficient protection of sensitive or critical
resources and disproportionately high expenditures for controls over low-risk
resources. (U.S. Government Accountability Office, Weaknesses Persist at Federal
Agencies Despite Progress Made in Implementing Related Statutory Requirements,
GAO-05-552 [Washington, D.C. July 2005]).

Improvement is needed in the FEC’s enterprise-wide security management program
as indicated in the prior year audit. During our FY 2006 review of the FEC's existing
security program, we noted that the FEC made the following progress:

•   The FEC’s management solicited bids for risk assessments. The risk assessment
    and business impact analysis are key components in the development of security
    plans and disaster recovery plans. In FY 2006, the FEC’s management
    determined that it did not have the funds available to conduct risk assessments or
    a business impact analysis.
    The FEC’s management is currently allocating funds
    in its FY 2007 budget to complete these tasks.
•   The FEC’s management revised its Security Review Policy. The revised policy
    calls on management to perform annual external penetration tests, disaster
    recovery tests, incident response tests, network vulnerability studies and a
    review of access control procedures. Additionally, the FEC performed a review
    of its firewall rule-set to identify and modify/delete obsolete rules.

Our review of the FEC's existing security program revealed continuing weaknesses in
controls that expose the FEC's significant financial management systems and data to
unauthorized access and/or modification. Weaknesses included the following:

•   The FEC has not completed the documentation, approval and implementation of
    its entity-wide security program plan. (Repeat Finding)
•   The FEC has not fully implemented its framework of policies and standards to
    mitigate risks associated with the management of its information resources.
    Although the FEC has implemented the majority of its information security
    policies, it has not fully implemented all of the related policies and standards.
    The FEC has not finalized and implemented an information classification policy
    or its certification and accreditation policy. Management is currently not ready to
    implement these policies and is in the process of reviewing and revising them.
    (Repeat Finding)
•   Risk assessments, as part of the FEC’s overall strategy to mitigate risks associated
    with its information technology environment, have not been conducted for more
    than three years.
    Therefore, resource classifications in the FEC’s completed
    security plans are not based on risk assessments. The FEC informed us that it is
    currently waiting for the availability of funds to complete a risk assessment.
    (Repeat Finding)
•   The FEC has created security plans for all of its major applications and mission
    critical general support systems. However, the security plans are not viable
    because they are not based on an assessment of the risks to the FEC’s systems.
    Accordingly, these major applications and mission critical general support
    systems have not been certified and accredited to ensure that they are operating
    according to the FEC’s security requirements. (Modified Repeat Finding)
•   There are weaknesses in the FEC’s program for the continuous monitoring and
    evaluation of the computer security policy and control effectiveness. The FEC
    has implemented its security review policy and performed all of the review steps
    outlined in the policy. However, a key part of a continuous monitoring program
    is a process for documenting and monitoring the status of corrective actions.
    Although the FEC has a corrective action plan for the CFO audit, the corrective
    action plan is not being applied to all reviews of security controls. (Modified
    Repeat Finding)
•   The FEC needs to strengthen its process of documenting corrective actions. A
    corrective action plan should identify the task to be completed in addition to
    identifying the resources required to accomplish the elements of the plan, any
    milestones in meeting the tasks, and scheduled completion dates for the
    milestones.
    The FEC’s corrective action plans identify the issue that needs to be
    addressed, but do not always include the persons assigned to the task, estimated
    completion dates, and steps or milestones necessary to complete the task.
    (Modified Repeat Finding)

Recommendations:

11. Complete the documentation, approval and implementation of an entity-wide
    security program plan.

Management Response

In November 1997, the FEC established Directive 58, outlining the Commission
policy on the control of commission software, and the use of agency computers. This
directive formed the basis of the agency’s computer security program. This directive
has been enhanced and expanded incorporating the latest guidance and best
practices provided by NIST in detail, and issued in policy 58A. The updating of
Directive 58 was initiated in December 2001 with the establishment of an agency
Information Systems Security Officer. This was followed with the establishment of an
interim Information System Security Program Policy 58A dated April 2004. This
interim policy became final in September 2004 as approved by the agency’s Chief
Information Officer (CIO). The implementation of the FEC entity wide security
program plan occurred in October 2004, when the FEC issued a memo informing all
employees/contractors that “Information System Security Program Policy” Policy
Number: 58A was approved and should be adhered to by all employees/contractors.

12. Finalize and implement the FEC’s information classification policy and
    certification and accreditation policy along with any accompanying standards.

Management Response

The FEC reserves the right to review, rescind, and modify any existing and/or
proposed policy within its IT security program policy.
The Information Classification
and Certification and Accreditation policies were rescinded from the implementation
process to study their suitability and feasibility within the FEC information
technology environment. In addition, both policies are heavily dependent upon the
completion of a third party risk assessment prior to implementation. In absence of
these assessments a management decision was made to rescind these policies until
such time as their successful implementation can be reasonably assured.

13. Perform risk assessments, as part of the FEC’s overall strategy to mitigate risks
    associated with its information technology environment.

Management Response

As a vital component of the Information Systems Security Program Policy (ISSPP)
58A, the FEC has developed and approved sub-policy 58-2.1: Risk Management
policy. This policy establishes a framework of procedures and standards to mitigate
risks associated with the management of information resources. 58-2.1 Risk
Management Policy states that external risk assessments should be performed within
the recommended 3 year period; however, current budgetary restraints have
prevented this.

The FEC management has completed the Statement of Work (SOW) and the FEC
management has received proposals from three vendors and is currently reviewing
the proposals. In addition, the FEC has allocated funds in fiscal 2007 (pending no
further budgetary constraints) to partially accomplish this goal. Until greater
resources are allocated toward this project, the FEC shall continue to conduct its
own internal reviews such as those specified in its Security Review Policy.

14. Incorporate the results of the risk assessments into the FEC’s security plans.

15. Classify information resources in accordance with the risk assessments.

Management Response

The FEC has created security plans, which document the security safeguards for its
major applications and general support system. As stated in previous responses the
FEC was unable to conduct third-party risk assessments due to budgetary restraints,
however in the absence of such assessments the Commission has leveraged the
considerable knowledge, skills, and experience of the Information Technology
Division senior management to create security plans based upon appropriate levels
of risk.

16. Utilize corrective action plans for all reviews of security controls whether
    performed internally or by a third-party.

17. Ensure that corrective action plans identify the task to be completed in addition to
    identifying the resources required to accomplish the elements of the plan, any
    milestones in meeting the tasks, and scheduled completion dates for the
    milestones.

Management Response

The FEC has instituted a comprehensive process for the continuous monitoring and
evaluation of the computer security policy and control effectiveness that it believes is
sufficient for an effective review and appraisal of its policy and procedures.
However, in an effort to enhance the financial auditors' understanding of the FEC
Information Technology Division’s internal work processes, the FEC will review and
consider a revised format.

18. Certify and accredit all major applications and mission critical general support
    systems.

Management Response

Same response as in recommendations 14 and 15.

B. Contingency Plan

Losing the capability to process and protect information maintained on the FEC’s
computer systems can significantly impact the FEC’s ability to accomplish its
mission to serve the public. The purpose of service continuity controls is to ensure
that, when unexpected events occur, critical operations continue without interruption
or critical operations are promptly resumed.

To achieve this objective, the FEC should have procedures in place to protect
information resources and minimize the risk of unplanned interruptions and a plan to
recover critical operations should interruptions occur. These plans should consider
activities performed at the FEC’s general support facilities (e.g. the FEC’s local area
network, wide area network, and telecommunications facilities), as well as the
activities performed by users of specific applications. To determine whether the
disaster recovery plans will work as intended, the FEC should establish and
periodically test the capability to perform its functions in disaster simulation
exercises.

Our review of the service continuity controls identified deficiencies that could affect
the FEC’s ability to respond to a disruption in business operations as a result of a
disaster or other long-term emergency. The deficiencies were as follows:

•   The FEC has not performed a Business Impact Analysis (BIA) to formally
    identify and prioritize all critical data and operations on its networks and the
    resources needed to recover them if there is a major interruption or disaster. In
    addition, we could not determine whether the FEC had established emergency
    processing priorities that will help manage disaster situations more effectively for
    the network.
    The FEC also has not included business owners in the discussion to
    determine how much backup data is needed on-hand to minimize the impact of a
    disaster. The FEC is currently waiting for the budgetary funds to complete a BIA.
    (Repeat Finding)
•   The FEC has not established an alternate processing site for its operations in the
    event of a disaster, including its general ledger system. Additionally, the FEC’s
    disclosure database is replicated at an off-site location as a web-enabled read-only
    database the public can access. In the event that data cannot be updated at the
    FEC and then replicated to the off-site location, there is no operational
    mechanism to update the disclosure database at the off-site location. The FEC has
    developed a cost analysis of establishing an alternate site and is currently pursuing
    interagency agreements to address this issue. (Repeat Finding)
•   The FEC has not developed and documented a comprehensive contingency plan
    of its data centers, networks and telecommunication facilities. The plan does not
    include steps for recovering all of the FEC’s major applications and mission
    critical general support systems. Additionally, the comprehensive contingency
    plan does not prioritize resources or set a timeframe for recovery. However, the
    FEC has updated the disaster recovery plan to include both a power failure
    scenario and a data center air-condition failure scenario. (Repeat Finding)
•   The FEC has not developed a Continuity of Operations Plan (COOP) to support
    the continuation of its core mission in the event of a disaster that renders the
    FEC’s facilities unusable. (Repeat Finding)

Recommendations:

19. Perform a BIA to formally identify and prioritize all critical data and operations
    on the FEC’s networks and the resources needed to recover them if there is a
    major interruption or disaster.

Management Response

The FEC agrees that a formal business impact analysis would be useful and it is
currently awaiting funds to complete the project. In lieu of a formal BIA the FEC has
leveraged its own internal expertise to identify and prioritize its critical data and
operations on the FEC’s networks and the resources needed to recover them if there
is a major interruption or disaster.

20. Ensure that emergency processing priorities are established to assist in managing
    disaster situations more effectively for the network and include business owners
    in the discussion to determine how much backup data is needed on-hand to
    minimize the impact of a disaster.

Management Response

The FEC has developed emergency processing priorities. These emergency process
priorities have been outlined in the FEC’s Disaster Recovery Plan.

21. Establish an alternative processing site for the FEC’s operations in the event of a
    disaster and ensure that an operational mechanism exists to update the disclosure
    database in the event that the FEC’s database is unavailable to replicate the
    disclosure database resident at the off-site location.

Management Response

The FEC believes that the cost to establish an alternative processing site would be
cost prohibitive and would not be cost effective. Therefore, an alternative processing
site is not part of the FEC budget request.

22. Develop and document a comprehensive COOP of the FEC’s data centers,
    networks, and telecommunication facilities.

23. Develop a COOP to support the continuation of the FEC’s core mission in the
    event of a disaster that renders the FEC’s facilities unusable.

Management Response

The FEC agrees that a Continuity of Operations Plan would be useful and it is
currently awaiting funds to complete the project.

C. Controls to Protect Information

For a computerized organization like the FEC, achieving an adequate level of
information protection is highly dependent upon maintaining consistently effective
access controls and system software controls. Access controls limit and monitor
access to computer resources (i.e., data files, application programs, and computer-
related facilities and equipment) to the extent necessary to provide reasonable
assurance that these resources are protected against waste, loss, unauthorized
modification, disclosure, or misappropriation. Access controls include logical
controls, such as security software programs designed to prevent or detect
unauthorized access to sensitive files. Similarly, system software controls limit and
monitor access to powerful programs and sensitive files that control computer
processing and secure the application and data supported by the system.

Our limited testing of internal controls identified weaknesses related to the
information protection in the FEC’s information systems environment. Impacted
areas included the local area and wide area networks as well as its midrange computer
systems (e.g. servers).
These vulnerabilities expose the FEC and its computer
systems to risks of external and internal intrusion, and subject sensitive information
related to its major applications to potential unauthorized access, modification, and/or
disclosure.

Current weaknesses in access controls include the following:

•   The FEC is not actively monitoring the use of budgetary overrides in the general
    ledger (GL) application. The FEC is currently finalizing a process where the
    chief financial officer will review the use of overrides on a monthly basis and
    initial the override log to show that overrides have been reviewed. (Repeat
    Finding)
•   The PeopleSoft application does not have the built-in functionality to enforce the
    FEC’s password policy. Additionally, the mitigating controls implemented by the
    FEC do not address the following weaknesses: (Modified Repeat Finding)

    o PeopleSoft does not have an account lockout policy.
    o PeopleSoft does not prevent users from using previous passwords.
    o PeopleSoft does not have the ability to enforce strong password requirements.

•   Oracle audit trails were not maintained on the FEC’s servers. The FEC maintains
    audit trails at the application level, but not the database level because of the
    potential impact to production. However, we have not been provided any
    documentation to show that the FEC has conducted a test to determine what the
    impact on processing would be.
•   The FEC’s procedure for granting access to its networks, systems, and physical
    facility through access authorization e-mails needs improvement. Additionally,
    the FEC’s procedure for reviewing and recertifying user access rights needs
    improvement.
    We noted the following weaknesses in the access reauthorization
    process, in addition to weaknesses in the access authorization e-mails used to
    document and grant access rights and privileges: (Modified Repeat Finding)

    o Seven out of 30 individuals reviewed did not have e-mails to document their
      network access.
    o Seven out of 30 individuals have network access rights that did not match
      their access requests.
    o Thirteen of 30 individuals’ network access e-mails did not identify the
      network groupings that the user should have access to.
    o Four dial-in users did not have access documentation on file and were not on
      the list of users with laptops.
    o Two VPN users were not on the list of users with laptops. Additionally, these
      two users are employees of the FEC that should have the FEC’s laptops.
    o None of the 17 dial-in users had their access periodically recertified.
    o One separated employee still had a dial-in account.
    o Data center access documentation was not available for 19 users.
      Additionally, there was no evidence that data center access was periodically
      recertified.
    o Access documentation was not maintained for system administrators and
      database administrators. The FEC’s current policy is to grant employees
      access based on their positions. According to the FEC, only employees hired
      to perform administrative functions are granted administrative access.
      However, “best practices” state that access forms should be maintained.
    o There were 21 individuals with access to the data center that did not have a
      justifiable need (based on job functionality) to have data center access.

Recommendations:

24. Finalize and implement the FEC’s process to manually review logs of users using
    budgetary overrides where the reviewer is an individual who does not have access
    to utilize the overrides.

Management Response

Budget overrides are rarely used by the FEC. They are only used when transactions
cannot be processed any other way. In most cases budget errors result in funds being
moved from another object class. This eliminates the error rather than overrides the
control. Effective with the August reports, the CFO began signing off on a control
report that lists all budget overrides used. The Accounting Officer and Budget Officer
run reports independently for the CFO to approve. The FEC agrees this is an
important safeguard. No budgets have been exceeded without management approval.

25. Develop mitigating controls to ensure that PeopleSoft passwords are in agreement
    with the FEC’s policy or ensure that when PeopleSoft processing is outsourced,
    the third-party maintains password controls that comply with the FEC’s password
    policies.

Management Response

The current version of PeopleSoft does not contain any mechanisms for the
automated enforcement of passwords. The FEC is aware of this vulnerability and the
risk associated with this version of PeopleSoft’s lack of automated authentication
enforcement. The FEC has implemented a series of compensating controls consisting
of additional user awareness training, policy issuance, and manual enforcement to
mitigate associated risk. The FEC understands and accepts the residual risk until an
automated solution can be found. In addition, the FEC plans to ensure that
automated password enforcement is either native or a third-party maintains password
controls that comply with the FEC’s password policy when PeopleSoft Processing is
outsourced.

26. Use access request forms that identify the user’s access level to document user
    access rights to all the FEC’s systems. Additionally, the FEC should periodically
    review the appropriateness of access granted and recertify user access rights.

Management Response

The FEC utilizes either an email from management or the new hire report from
Human Resources as user access request forms. In addition, the FEC periodically
revalidates all network access for appropriateness as dictated by 58-2.11 Security
Review Policy.

27. Investigate to determine a baseline level of auditing that can be performed without
    causing a detrimental impact to the performance of the Oracle databases and the
    applications that they support.

Management Response

In the normal course of business, performance indicators are monitored to ensure
application stability. This constant monitoring provided the FEC with the
information needed to determine that the enabling of Oracle audit trails would prove
an unnecessary hindrance to system performance. The FEC recognizes the risk
associated with not enabling Oracle audit trails and has initiated audit trails at the
application level and limited database access to a select number of persons as two
compensating controls. The FEC understands and accepts any residual risk left from
this process.

28. Periodically review data center access and remove unnecessary access rights.

Management Response

Although the FEC maintains an accurate list of those persons requiring access to its
Datacenter the requirement for maintaining supporting documentation is a recent
one. The FEC is currently evaluating the necessity of adding the Datacenter access
list to its 58-2.11 Security Review Policy to ensure that periodic recertification will
occur.

D. Software Development and Change Controls

Establishing controls over the modification of application software programs helps to
ensure that only authorized programs and authorized modifications are implemented.
This is accomplished by instituting policies, procedures, and techniques that help
make sure all programs and program modifications are properly authorized, tested,
and approved, and that access to and distribution of programs is carefully controlled.
Without proper controls, there is a risk that security features could be inadvertently or
deliberately omitted or "turned off" or that processing irregularities or malicious code
could be introduced.

Our review of the software development and change controls identified deficiencies
that could affect the FEC’s ability to ensure that only authorized programs and
authorized modifications are implemented. The deficiencies were as follows:

•   The FEC has not implemented a formal process for identifying, documenting,
    testing and installing security patches and updates to its Oracle, UNIX and
    Windows environments.
•   The FEC does not maintain documentation evidencing that Oracle and Solaris
    patches are tested and approved before being installed into production.
•   The PeopleSoft application is currently supported by an Oracle 8 database that is
    no longer supported by the vendor.

Recommendations:

29. Implement formal policies and procedures for managing system software changes.

30. Maintain documentation to support the testing and approval of system software
    changes.

Management Response

The FEC has developed and implemented a comprehensive set of policies and
procedures for managing system changes. These include 58-2.3 Change
Management Policy and the FEC Change Management Standard.
In addition, based
upon early feedback from the financial auditors the FEC instituted the FEC Patch
Management Standard on 10/04/06.

31. Complete the migration of financial processing to a third-party service provider
    and verify that the service provider is utilizing vendor supported system software
    versions.

Management Response

Due to legacy issues associated with some of the FEC applications the current
version of Oracle 8 is required. Although the vendor no longer provides patches for
this version of Oracle it does provide limited support, which includes assisting
customers with work-arounds to issues that may arise. In addition, the FEC has built
a considerable amount of experience and internal expertise over the years that this
product has been in its inventory.

The FEC recognizes the risk associated with maintaining a product with limited
support. Accordingly, the FEC is relying upon its considerable internal expertise,
restricted access to only a few persons and Oracle’s limited support as compensating
factors until the migration of financial processing to a third-party service provider is
implemented. The FEC understands and accepts any residual risk left from this
situation. Additionally, the FEC plans to verify that any third party service provider
has adequate support during the migration of its financial processing.

IV.   Integrated Financial Management System (Repeat Finding)

The FEC does not have an integrated financial management system.
Significant financial
management systems, such as the cost system, accounts receivable system and the
property and equipment system do not interface with the general ledger system.

A single, integrated financial management system is a unified set of financial systems
linked together electronically in an efficient and effective manner to provide agency-wide
financial system support. Integration means that the user is able to have one view into
systems such that, at whatever level the individual is using the system, he or she can
obtain necessary information efficiently and effectively through electronic means. It does
not necessarily mean having only one software application covering all financial
management system needs within an agency. Interfaces are acceptable as long as the
supporting details are maintained and accessible to managers. Interface linkages must be
electronic unless the number of transactions is so small that it is not cost beneficial to
automate the interface. Easy reconciliation between systems, where interface linkage is
appropriate, must be maintained to ensure data accuracy.

Recommendation:

32. Evaluate the extent of systems integration needed for existing systems when
    considering the outsourcing of the FEC’s accounting services to a shared service
    provider.

Management Response

The FEC agrees with this finding and recommendation. The FEC is actively pursuing
securing the services of a financial line of business provider in FY 2007 or early FY
2008.

V.    Administrative Fines, Civil Penalties and Miscellaneous Receipts (Modified Repeat
      Finding)

The program offices serve as the primary source of information related to accounts
receivable transactions which should be recorded in the general ledger by the Finance
Office.
      Accounting events requiring recordation in the general ledger include assessment
      of administrative fines and civil penalties, determination of an uncollectible debt and
      payment by a respondent. On a monthly basis, civil penalty and administrative fine
      activities are initially reported to the Finance Office by the program offices in a memo.
      These memos are used by the Finance Office to update the accounts receivable subsidiary
      schedule that serves as the basis for accounts receivable transactions recorded in the
      general ledger. The information submitted by the program offices is augmented by more
      detailed information obtained from the FEC website and collection reports prepared by
      the Finance Office. The schedules are reconciled to the program offices’ records and
      submitted to management for review and approval.

      Our audit found the aforementioned reconciliation and management review were
      ineffective in detecting mathematical or classification errors and accounts receivable
      balances recorded for the wrong amount.

      Further, the methodology used to determine allowance for doubtful accounts is not
      formally documented or fully disclosed in the financial statements.

      Recommendations:

      33. Implement policies and procedures for reviewing the accounts receivable schedules
          for reasonableness and accuracy prior to recording related account transactions in the
          general ledger.

      34. Formalize policies and procedures for performing accounts receivable reconciliations.
          While developing these procedures, the FEC should consider establishing a timeline
          for when the reconciliations should be finalized by the program offices and forwarded
          to the Finance Office.

      35. Document all the methodologies applied in calculating allowance for uncollectible
          accounts. Periodically review the methodologies against actual procedures performed
          and revise them as necessary.

      Management Response

      The FEC agrees with these findings and recommendations 33, 34, and 35. Significant
      progress was made in the receivables area in FY 2006. The findings in this area were
      mainly the result of errors in cells of the new spreadsheets and have been corrected. In
      FY 2007, we intend to improve further by: a) issuing a directive for receivables
      management; b) reviewing the spreadsheets more thoroughly; c) working with Treasury to
      ensure better reports; and d) improving documentation of the allowance for uncollectible
      accounts.

VI.   Controls Over Procurement and Disbursement Transactions

      The weaknesses identified below collectively resulted in a reportable condition in the
      FEC’s procurement processes.

      •   Several procurement documents meeting the criteria for approval by the
          Commissioners were not submitted to the Commission for approval or the
          Commissioners’ approval was not clearly documented or provided to us for review.
          Other procurement transactions were not approved by all the individuals in the
          approval chain or were signed by the same individual for more than one position in
          the approval chain.
      •   For one of 45 sample items the total obligations and disbursements exceeded the
          contract amount.
          Although the disbursements were determined to be legitimate, the
          contract was not modified for the increase in obligation.
      •   There were several incidents where documents intended to support approval of
          procurement and disbursement actions were not properly submitted for approval,
          supported or maintained by the agency.
      •   Accounts payable reconciliations were not always timely prepared by the FEC’s
          personnel and approved by management.

      GAO Standards for Internal Control in the Federal Government states that transactions
      and other significant events should be authorized and executed by persons acting within
      the scope of their authority. This is a principal means of assuring that only valid
      transactions to exchange, transfer, use or commit resources and other events are initiated
      or entered into. Evidence of approval should be clearly documented and readily available
      for examination. Further, key duties and responsibilities need to be divided or segregated
      among different people to reduce the risk of error or fraud.

      Recommendations:

      36. Issue formal guidance for performing corrective action when negative obligation
          balances occur. Procedures should describe the conditions when corrective action is
          needed, corrective actions to perform and the individuals responsible for resolving the
          error. The timely response and clear communication on corrective action should also
          be included in the procedures.

      37. Ensure documentation related to procurement and disbursement actions is properly
          approved and supported. Procurement policies and procedures should be enhanced to
          document, completely and clearly, operating procedures for the procurement cycle
          and should include procedures for documenting justification when exceptions are
          made to established procedures.

      38. Ensure reconciliations are consistently performed, reviewed and approved in a timely
          manner.

      Management Response

      The FEC agrees with these findings and recommendations 36, 37, and 38. The FEC will
      issue additional internal guidance on how to handle negative obligations (#36). The
      Administrative Officer issued updated guidance to clarify signatures needed on
      procurement documents in early FY 2007. The FEC Procurement Directive will be
      updated in FY 2007 to reflect this change (#37). The FEC will address the timeliness of
      reconciliations with appropriate staff members (#38).

VII.  Audit Follow-up

      Establishing a comprehensive system for audit follow-up helps to ensure prompt and
      proper implementation of corrective action on identified internal control deficiencies.
      Accordingly, OMB Circular A-50, Audit Follow-up, requires an agency to establish an
      audit follow-up system which includes, among other provisions: 1) resolution and
      corrective action on audit recommendations within six months following final report
      issuance; 2) specific and written plans for corrective action with specified action dates; 3)
      a complete and accurate record of the status of audit reports or recommendations through
      the entire process of resolution and corrective action; and 4) semi-annual report to the
      agency head on the status of audit report recommendations.

      The FEC was not able to provide the May 2006 report detailing the status of audit
      recommendations submitted to the Commissioners as required by the FEC Directive 50
      Audit Follow-up, revised April 2006. During the audit period, we recognized that the
      Audit Follow-up Official for the financial audit was in the process of establishing a
      follow-up system.
      However, we identified deficiencies in the follow-up system that
      could affect the FEC’s ability to ensure prompt and proper resolution of audit findings
      and recommendations. The deficiencies were as follows:

      •   Sections of the audit follow-up matrix for the financial statement audit are maintained
          in various locations within the agency. Separate matrices for Information
          Technology and non-Information Technology related recommendations are
          maintained by the Chief Information Officer and Accounting Officer, respectively.
          The financial audit Audit Follow-up Official does not maintain a consolidated matrix
          nor does he have ready access to the matrix for Information Technology related audit
          findings. During the FY 2006 financial statement audit, significant effort on the part
          of the FEC personnel and multiple requests from the auditors were needed to
          determine the status of FY 2005 financial statement audit recommendations. The
          FEC’s procedures for the corrective action matrix compromise the financial
          statement Audit Follow-up Official’s ability to monitor the remediation process for
          audit findings and implement additional corrective action, where necessary.
      •   The matrix for the FY 2005 financial statement audit findings was not complete. It
          did not include the corrective action plan, or targeted and actual completion dates
          and/or responsible party for several recommendations.
      •   The FEC has not formalized a methodology or timetable for updating the matrix with
          the current status of corrective action plans and/or revised targeted and/or completion
          dates. During the FY 2006 audit, we noted the current status of the corrective action
          plan or target date of completion was not always updated in the matrices provided to
          the auditors. As such, management’s assertion regarding the status of audit
          recommendations was not always correct.

      Recommendation:

      39. Formalize the remediation process related to audit findings and recommendations that
          is consistent with OMB Circular A-50 guidelines.

      Management Response

      The FEC agrees with the finding and the recommendation. In FY 2006, the FEC
      developed a detailed matrix for ITD and accounting findings which will be monitored
      closely by the CFO. The first follow-up report is expected to be sent to the Commission
      through the Staff Director in November 2006.

OTHER MATTER

OMB Bulletin No. 06-03 requires that the auditor’s report on internal control “identify those
material weaknesses disclosed by the audit that were not reported in the reporting entity’s
Federal Managers’ Financial Integrity Act (FMFIA) report.” The FEC’s schedule of material
weaknesses and non-conformances included in the PAR did not identify the material weaknesses
noted in the FY 2006 Independent Auditor’s Report on Internal Control. We do not believe,
however, that failure to report these material weaknesses in FMFIA constitutes a separate
reportable condition or a material weakness because different criteria are used by management
and the auditors in determining material weaknesses.

STATUS OF PRIOR YEAR CONDITIONS

As required by Government Auditing Standards and OMB Bulletin No.
06-03, we have reviewed
the status of the FEC’s corrective actions with respect to the findings and recommendations from
the previous year’s report on internal controls. We have attached Appendix A to our report that
presents the status of prior year findings and recommendations.

                            ********************************

In addition to the material weaknesses and reportable conditions described above, we noted
certain matters involving internal control and its operation that we reported to the management of
the FEC in a separate letter dated November 7, 2006.

This report is intended solely for the information and use of the management of the FEC, the
FEC Office of Inspector General, GAO, OMB, and Congress, and is not intended to be and
should not be used by anyone other than these specified parties.

Calverton, Maryland
November 7, 2006

                                APPENDIX A
                      FEDERAL ELECTION COMMISSION
           STATUS OF PRIOR YEAR FINDINGS AND RECOMMENDATIONS
                              September 30, 2006

Recommendation No.  Condition/Audit Area       Recommendation                                          Current Status

Material Weaknesses
I. Cost Accounting System and Processes
1                   Cost Allocation            Establish formal and comprehensive cost allocation      Open
                    Methodology                methodology and related policy and procedures.
2                   Cost Allocation            Cross-train employees to minimize the risks of major    Closed
                    Methodology                interruptions in normal business operations.
3                   Cost Allocation            Establish a review process wherein a person, other      Open
                    Methodology                than the preparer, reviews the work performed to
                                               ensure accuracy and propriety.
4                   Cost Allocation            Maintain audit trails to support the allocation         Open
                    Methodology                methodology and amounts.
5                   Managerial Cost            Evaluate the functional requirements for the new        Closed
                    Accounting                 cost accounting system to ensure that the minimum
                                               level of cost accounting required in SFFAS No. 4 is
                                               attained.
II. Administrative Fines, Civil Penalties and Miscellaneous Receipts
6                   Administrative Fines,      Establish and implement policy and procedures           Open. Now a reportable condition.
                    Civil Penalties and Misc.  ensuring communication and coordination between
                    Receipts                   program offices and Finance Office on activities with
                                               financial impact. The policy should also clearly
                                               establish the FEC's revenue recognition policy. The
                                               Finance Office should design a standard report
                                               outlining all the necessary information to record the
                                               financial activities. The report should be prepared
                                               and submitted timely at least monthly by the program
                                               offices to the Finance Office.
7                   Administrative Fines,      Document the policy and basis for the allowance for     Partially closed. Although the FEC
                    Civil Penalties and Misc.  uncollectible accounts.                                 had documented the policy, the
                    Receipts                                                                           documentation for the basis for
                                                                                                       the allowance for uncollectible
                                                                                                       accounts was not complete. The FEC
                                                                                                       uses other methodologies that were
                                                                                                       not documented.
III. General Property and Equipment
8                   Property, Plant and        Reconcile the total of the individual property items    Open
                    Equipment                  in the property system to the bulk purchase total
                                               recorded in the books to ensure completeness of the
                                               property system records.
9                   Property, Plant and        Document physical inventory procedures, results, and    Open
                    Equipment                  reconciliation and maintain the documentation for
                                               audit trail purposes.
10                  Property, Plant and        Revise the software capitalization policy to comply     Closed
                    Equipment                  with SFFAS No. 10.
11                  Property, Plant and        Enforce compliance and consistent implementation of     Open – Now a reportable condition
                    Equipment                  policies and procedures related to completing           reported under Controls Over
                                               receiving reports and the review and approval of        Procurement and Disbursement
                                               obligating memos or documents.                          Transactions.
12                  Property, Plant and        Establish a standard process and policy where program   Open
                    Equipment                  offices are required to notify the Finance Office of
                                               any property acquisition or disposition with
                                               accounting impact to ensure proper and timely
                                               recording of the transaction.
IV. Information Technology
13                  Entity-Wide Security       Implement a framework of policies and standards to      Open. Now a reportable condition.
                    Program                    mitigate risks associated with the information
                                               resources management.
14                  Entity-Wide Security       Complete the documentation, approval, and               Open. Now a reportable condition.
                    Program                    implementation of an entity-wide security program
                                               plan.
15                  Entity-Wide Security       Develop and implement security plans for all major      Open. Now a reportable condition.
                    Program                    applications and MCGSS as part of a risk mitigation
                                               strategy.
16                  Entity-Wide Security       Ensure that Resource Classifications in the FEC's       Open. Now a reportable condition.
                    Program                    security plans accurately reflect the risk and
                                               vulnerability of the FEC systems.
17                  Entity-Wide Security       Complete the implementation of the program for the      Open. Now a reportable condition.
                    Program                    continuous monitoring and evaluation of the computer
                                               security policy and control effectiveness.
18                  Entity-Wide Security       Conduct risk assessments at least every three years     Open. Now a reportable condition.
                    Program                    as part of an overall strategy to mitigate risks
                                               associated with its information technology
                                               environment.
19                  Entity-Wide Security       Certify that the major applications and MCGSS are       Open. Now a reportable condition.
                    Program                    operating according to the FEC's security
                                               requirements.
20                  Entity-Wide Security       Strengthen the FEC's program to document corrective     Open. Now a reportable condition.
                    Program                    actions and verify that weaknesses identified have
                                               been addressed. Ensure and document that
                                               recommendations from the most recent network security
                                               review have been implemented.
21                  Controls to Protect        Create a new GL system application role to give         Closed
                    Information                employees with necessary and appropriate access
                                               rights to fulfill their job responsibility.
22                  Controls to Protect        Monitor and record visitor access to the data center.   Closed
                    Information
23                  Controls to Protect        Use access request forms to document user access        Open. Now a reportable condition.
                    Information                rights and periodically review the access for
                                               appropriateness.
24                  Controls to Protect        Develop mitigating controls to ensure that GL system    Open. Now a reportable condition.
                    Information                passwords are in agreement with the FEC policy.
25                  Controls to Protect        Automatically log network activity as required by the   Closed
                    Information                Audit Events Standards.
26                  Controls to Protect        Institute a process to manually review logs of users    Open. Now a reportable condition.
                    Information                using budgetary overrides where the reviewer is an
                                               individual who does not have access to utilize the
                                               overrides.
27                  Controls to Protect        Periodically review the firewall rule set for           Closed
                    Information                appropriateness.
28                  Controls to Protect        Periodically review LAN user accounts and disable       Open. Now a reportable condition.
                    Information                unnecessary user accounts.
29                  Contingency Plan           Perform a Business Impact Analysis to formally          Open. Now a reportable condition.
                                               identify and prioritize all critical data and
                                               operations on the FEC's networks and the resources
                                               needed to recover them if there is a major
                                               interruption or disaster. Ensure that emergency
                                               processing priorities are established to assist in
                                               managing disaster situations more effectively for the
                                               network and include business owners in the discussion
                                               to determine how much backup data is needed on-hand
                                               to minimize the impact of a disaster.
30                  Contingency Plan           Establish alternative processing site for the FEC's     Open. Now a reportable condition.
                                               operations in the event of a disaster and ensure that
                                               an operational mechanism exists to update the
                                               disclosure database in the event that the FEC database
                                               is unavailable to replicate the disclosure database
                                               resident at the off-site location.
31                  Contingency Plan           Develop a Continuity of Operations Plan (COOP) to       Open. Now a reportable condition.
                                               support the continuation of the FEC's core mission in
                                               the event of a disaster that renders the FEC's
                                               facilities unusable.
32                  Contingency Plan           Develop and document a comprehensive contingency of     Open. Now a reportable condition.
                                               operations plan of the FEC's data centers, networks,
                                               and telecommunication facilities.
33                  Software Development       Fully implement the System Development Life Cycle       Closed
                    and Change Control         Methodology.
Reportable Conditions
V. Financial Reporting
34                  General Ledger System      Ensure that corrections made to the posting logic       Closed
                    Setup and Posting Model    comply with the USSGL and that the USSGL accounts and
                    Definition                 posting logic are updated as changes to USSGL are
                                               issued.
35                  Continuing Resolution      Comply with the continuing resolution accounting        Closed
                    Accounting                 scenario prescribed by the US Treasury in accordance
                                               with memorandum issued by OMB.
36                  Integrated Financial       Continue to assess the degree of integration necessary  Open
                    Management                 to have a single, unified financial system by
                                               evaluating the functional requirements and the costs
                                               and benefits of integrating the financial reporting,
                                               property and equipment, receivable and the cost
                systems with the GL\n                                                       system.\nVI. Payroll\n           37            Payroll                       Implement procedures to       Closed\n                                                       ensure that leave\n                                                       adjustments are\n                                                       completely processed and\n                                                       transmitted to the service\n                                                       provider.\n          38             Payroll                       Maintain in the personnel     Closed\n                                                       files all payroll deduction\n                                                       authorization forms\n                                                       initiated through the FEC,\n                                                       i.e. not done directly by\n                                                       the employee with the\n                                                       service provider.\n\n\n\n\n                                                Page 29 of 30\n\x0c                             APPENDIX A\n                   FEDERAL ELECTION COMMISSION\n        STATUS OF PRIOR YEAR FINDINGS AND RECOMMENDATIONS\n                           September 30, 2006\n\n\n\nRecommendation No.    
Condition/Audit Area        Recommendation                 Current Status\n       39            Payroll                 Ensure that timekeepers:       Closed\n                                             perform the bi-weekly\n                                             reconciliation between\n                                             leave balances reported in\n                                             its records and the service\n                                             provider\'s records; and\n                                             submit the bi-weekly leave\n                                             balance certification to the\n                                             Finance Office timely.\n        40           Payroll                 Implement procedures for       Closed\n                                             ensuring all payroll and\n                                             personnel documents are\n                                             properly completed and\n                                             authorized before payroll\n                                             data is transmitted to the\n                                             payroll service provider\n                                             for processing.\n        41           Payroll                 Consider automating            Closed. Now in\n                                             payroll processing to          Management Letter.\n                                             decrease the risk of error.\n\n\n\n\n                                     Page 30 of 30\n\x0c'